DETAILED ACTION 

Response to Remarks/Arguments 

1. In response to communications filed on 07/15/2008, Applicant's arguments with 
respect to the pending claims have been fully considered but they are moot in view of 
new ground(s) of rejection. 

Claim Rejections - 35 USC § 102 

2. The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that 
form the basis for the rejections under this section made in this Office action: 

A person shall be entitled to a patent unless - 

(e) the invention was described in (1) an application for patent, published under section 122(b), by 
another filed in the United States before the invention by the applicant for patent or (2) a patent 
granted on an application for patent by another filed in the United States before the invention by the 
applicant for patent, except that an international application filed under the treaty defined in section 
351(a) shall have the effects for purposes of this subsection of an application filed in the United States 
only if the international application designated the United States and was published under Article 21(2) 
of such treaty in the English language. 

Claims 1-4 are rejected under 35 U.S.C. 102(e) as being anticipated by Teal 
(US Patent No. 6,477,651 B1). 

Regarding claim 1, Teal discloses a method for automatically identifying 
common content to use in identifying an intrusive network attack comprising: 
obtaining a collection of data (4:23-25 - "data collected") to be analyzed to 
identify the network attack (4:5-46 - "data collector converter 14 is used for each 
type of network data collected from the network"); reducing said data items in 
said collection to reduce said data collection to a reduced data collection of 
reduced data items, wherein the reduced data items in the reduced data 
collection have a smaller size (4:16-27 - "predetermined formats") and a 
constant predetermined relation with data items in the data collection (4:16-27 - 
"predetermined formats") and at least some of the data items in the data 
collection that differ are reduced to the same reduced data item; and analyzing a 
plurality of said reduced data items to detect common elements (4:33-34 - 
"network data to look for specific patterns"), said analyzing reviewing for 
common content indicative of a network attack (4:5-46 - "data collector 
converters 14 collect the network data and convert the network data into 
predetermined formats for analysis" and "Intrusion detection analysis engine 16 
analyzes network data to look for specific patterns that indicate malicious activity 
on the network"). 

Regarding claim 2, Teal discloses a method as in claim 1, wherein said 
analyzing comprises determining frequently occurring sections of message 
information (4:5-46 - "Intrusion detection analysis engine 16 analyzes network 
data to look for specific patterns that indicate malicious activity on the network. 
These patterns, known as signatures, are generally unique to each type of 
vulnerability of network."). 

Regarding claim 3, Teal discloses a method as in claim 1, wherein said 
analyzing comprises determining that an increasing number of sources and 
destinations are sending and/or receiving data (4:19-27 - "Data source 12 
can include network routers and servers that provide network traffic data, audit 
trail data, system information data, and other data sources. In one embodiment, 
a data collector converter 14 is used for each type of network data collected from 
the network."). 

Regarding claim 4, Teal discloses a method as in claim 1, further comprising 
analyzing for the presence of a specified type of code within said collection of 
data (1:60-67 - "analyzing an incoming data packet from the public 
network. The incoming data packet is then matched against known forms of 
attack on the private network."). 

Claim Rejections - 35 USC § 103 

3. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set 
forth in section 102 of this title, if the differences between the subject matter sought to be patented and 
the prior art are such that the subject matter as a whole would have been obvious at the time the 
invention was made to a person having ordinary skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the invention was made. 
Claims 5-35, 69-79 and 88-89 are rejected under 35 U.S.C. 103(a) as being 
unpatentable over Teal (US Patent No. 6,477,651 B1) in view of 
Adjaoute (US Patent No. 7,089,592 B2). 

Regarding claim 5, Teal is silent as to, after said analyzing determines 
said frequently occurring sections of message information, carrying out an 
additional test on said frequently occurring sections of message information; 
however, Adjaoute does provide such a disclosure (11:19-31 - "model 
component 54 is a program that takes data associated with an electronic 
transaction and decides whether the transaction is fraudulent ... [it] also takes 
data associated with network usage and decides whether there is network 
intrusion ... [and] consists of an extensible collection of integrated sub-models 
55, each of which contributes to the final decision"). 

It would have been obvious to one of ordinary skill in the art, at the time of 
the invention, to combine the inventions of Teal 
and Adjaoute because both inventions are directed towards intrusion 
detection systems which analyze network data in determining risks. The 
motivation and benefit for the combination/modification of Teal is provided 
by Adjaoute, which recites, "[it is] desirable to provide systems and 
methods for dynamic detection and prevention of electronic fraud and 
network intrusion that are able to detect and prevent fraud and network 
intrusion across multiple networks and industries ... [and] that employ an 
integrated set of intelligent technologies." 



Regarding claim 6, Teal discloses a method as in claim 5, wherein said carrying 
out the additional test comprises looking for an increasing number of at least one 
of sources and destinations of said frequently occurring sections of message 
information (4:19-27 - "Data source 12 can include network routers and servers 
that provide network traffic data, audit trail data, system information data, and 
other data sources. In one embodiment, a data collector converter 14 is used for 
each type of network data collected from the network."). 



Regarding claim 7, Teal discloses a method as in claim 5, wherein said carrying 
out the additional test comprises looking for code or opcode (operation code) 
within the frequently occurring sections (4:33-39 - "Intrusion detection analysis 
engine 16 analyzes network data to look for specific patterns that indicate 
malicious activity on the network"). 



Regarding claim 8, Teal discloses a method wherein said reducing said data 
items comprises carrying out a hash function on said data items (4:33-39 - 
"These patterns, known as signatures, are generally unique to each type of 
vulnerability of the network."). 

Regarding claims 9 and 11-14, Teal discloses a method wherein said 
determining frequently occurring sections comprises: 

• using at least first, second and third data reduction techniques on each 
said data item, to obtain at least first, second and third reduced data 
items, counting said first, second and third reduced data items (Figure 22 
and 19:7-28); and 

• establishing said frequently occurring sections when all of said at least first, 
second and third reduced data items have a frequency of occurrence 
greater than a specified amount (19:29-42). 

It would have been obvious to one of ordinary skill in the art, at the 
time of the invention, to combine the inventions of 
Teal and Adjaoute because both inventions are directed towards intrusion 
detection systems which analyze network data in determining risks. The 
motivation and benefit for the combination/modification of Teal is provided 
by Adjaoute, which recites, "[it is] desirable to provide systems and 
methods for dynamic detection and prevention of electronic fraud and 
network intrusion that are able to detect and prevent fraud and network 
intrusion across multiple networks and industries ... [and] that employ an 
integrated set of intelligent technologies." 

Regarding claim 10, Teal discloses that said collection of data items comprises a 
portion of the network payload (4:16-27). 

Regarding claim 15, Teal discloses a method as in claim 14, wherein said first 
and second monitoring comprises reducing information about said destinations, 
and storing at least one table about said data reduced information (4:23-25). 

Regarding claim 16, Teal discloses a method as in claim 10, wherein said 
collection of data items further comprises a portion of a network header 
(Rejected under the same rationale as claim 10). 

Regarding claim 17, Teal discloses a method as in claim 11, wherein said 
portion of a network header comprises a port number indicating a service 
requested by a network packet (Rejected under the same rationale as claim 7). 

Regarding claim 18, Teal discloses a method as in claim 17, wherein said port 
number comprises a source port or a destination port (Rejected under the same 
rationale as claim 7). 

Regarding claim 19, Teal discloses a method as in claim 1, wherein said data 
items comprise a first subset of a network packet including payload and header; 
and the method further comprises obtaining a second subset of the same 
network packet for subsequent analysis (Rejected under the same rationale as 
claim 10). 

Regarding claim 20, Teal discloses a method as in claim 1, further comprising 
forming a plurality of data items from each of a collection of network packets, 
each of said plurality of data items comprising a specified subset of the network 
packets (Rejected under the same rationale as claim 1). 

Regarding claim 21, Teal discloses a method as in claim 1, further comprising 
forming a plurality of data items from each of a collection of network packets, 
each of said plurality of data items comprising a continuous portion of payload 
and information indicative of a port number indicating a service requested by the 
network packet (Rejected under the combined rationales of claims 11 and 20). 

Regarding claim 22, Teal discloses a method as in claim 2, wherein said 
reducing said data items and said determining frequently occurring sections 
comprises: taking a first hash function of said data items; first maintaining a first 
counter, with a plurality of stages, and incrementing one of said stages based on 
an output of said first hash function; taking a second hash function of said data 
items; and second maintaining a second counter, with a plurality of stages, and 
incrementing one of said stages of said second counter based on an output of 
said second hash function (Rejected under the same rationale as claim 8). 

Regarding claim 23, Teal discloses a method as in claim 22, further comprising 
checking said one of said stages of said first counter and said one of said stages 
of said second counter against a threshold, and identifying a first reduced data 
item as associated with frequently occurring content only when both said one of 
said stages of said first counter and said one of said stages of said second 
counter are both above said threshold (Rejected under the same rationale as 
claim 11). 

Regarding claim 24, Teal discloses a method as in claim 23, further comprising 
adding the first reduced data item to a frequent content buffer table (Rejected 
under the same rationale as claim 11). 

Regarding claim 25, Teal discloses a method as in claim 24, further comprising 
taking at least a third hash function of said data items, and incrementing a stage 
of at least a third counter based on said third hash function, wherein said 
identifying said first reduced data item as associated with frequently occurring 
content occurs only when all of said stages of each of said first, second and third 
counters are each above said threshold (Rejected under the same rationale as 
claim 8). 

Regarding claim 26, Teal discloses a method as in claim 22, further comprising 
obtaining said data items by taking a first part of messages, and subsequently 
obtaining new data items by taking a second part of the messages (Rejected 
under the same rationale as claim 1). 

Regarding claim 27, Teal discloses a method as in claim 26, wherein at least 
one of said hash functions comprises an incremental hash function (Rejected 
under the same rationale as claim 8). 

Regarding claim 28, Teal discloses a method as in claim 3, wherein reducing 
said data items comprises hashing at least one of the source or destination, to 
form a collection of hash values, first determining a unique number of said hash 
values, and second determining a number of said one of source or destination 
addresses based on said first determining (Rejected under the same rationale as 
claim 8). 

Regarding claim 29, Teal discloses a method as in claim 28, further comprising 
scaling the hash values prior to said second determining (Rejected under the 
same rationale as claim 8). 



Regarding claim 30, Teal discloses a method as in claim 29, wherein said 
scaling comprises scaling by a first value during a first counting session, and 
scaling by a second value during a second measurement session (Rejected 
under the same rationale as claim 8). 



Regarding claim 31, Teal discloses a method as in claim 7, wherein said 
detecting code comprises looking for a first valid opcode at a first location, based 
on said first valid opcode, determining a second location representing an offset to 
said first valid opcode, and looking for a second valid opcode at said second 
location (Rejected under the same rationale as claim 7). 



Regarding claim 32, Teal discloses a method as in claim 31, further comprising 
establishing that a first section includes code when a predetermined number of 
valid opcodes are found at proper distances (Rejected under the same rationale 
as claim 7). 



Regarding claim 33, Teal discloses a method as in claim 1, further comprising 
determining a list of first computers that are susceptible to a specified attack, and 
monitoring only messages directed to said first computers for said specified 
attack (Rejected under the same rationale as claim 1). 



Regarding claim 34, Teal discloses a method of claim 33 where said monitoring 
comprises checking for a message that attempts to exploit a known vulnerability 
to which a computer is vulnerable, as said specified attack (Rejected under the 
same rationale as claim 1). 



Regarding claim 35, Teal discloses a method as in claim 34, wherein said 
checking comprises checking for a field that is longer than a specified length 
(Rejected under the same rationale as claim 1). 



Regarding claim 69, Teal discloses a method for automatically identifying 
common content to use in identifying an intrusive network attack, comprising: 
monitoring network content on a network, and obtaining at least portions of the 
data on said network; data reducing said portions of the data using a data 
reduction function which reduces said portions of the data to reduced data 
portions in a repeatable manner, such that each portion which has the same 
content is reduced to the same reduced data portion and at least some of the 
portions that differ are reduced to the same reduced data portion; analyzing said 
reduced data portions to find network content which repeats a specified number 
of times, and to establish said network content which repeats said specified 
number of times as frequent content; identifying address information of said 
frequent content, wherein the address information includes at least one of source 
information or destination information that characterizes the respective 
sources and/or destinations of said frequent content, and determining if a 
number of sources and/or destinations of said frequent content is increasing; and 
identifying the frequent content as associated with the network attack, based on 
said identifying and determining (Rejected under the same rationale as claim 1). 

Regarding claim 70, Teal discloses a method as in claim 69, wherein said 
monitoring network content comprises obtaining both portions of the data on the 
network, and port numbers indicating services requested by network packets 
(Rejected under the same rationale as claims 17 and 18). 

Regarding claim 71, Teal discloses a method as in claim 70, wherein said 
obtaining portions of the network data comprises: defining a window which 
samples a first portion of network data at a first time in accordance with a 
position of the window, and sliding said window to a second position at a second 
time which samples a second portion of said network data, wherein said second 
position has a specified offset from the first position (Rejected under the same 
rationale as claim 1). 

Regarding claim 72, Teal discloses a method as in claim 71, wherein said data 
reduction function comprises a hash function (Rejected under the same rationale 
as claim 8). 

Regarding claim 73, Teal discloses a method as in claim 72, wherein said data 
reduction function comprises an incremental hash function (Rejected under the 
same rationale as claim 8). 

Regarding claim 74, Teal discloses a method as in claim 69, wherein data 
reducing said portions comprises using said data reduction function in a scalable 
configuration (Rejected under the same rationale as claim 8). 

Regarding claim 75, Teal discloses a method as in claim 69, wherein said 
identifying comprises second data reducing said address information using a 
data reduction function, and maintaining a table of data reduced address 
information (Rejected under the same rationale as claim 1). 

Regarding claim 76, Teal discloses a method as in claim 75, wherein said 
second data reducing comprises hashing said address information (Rejected 
under the same rationale as claim 8). 

Regarding claim 77, Teal discloses a method as in claim 69, further comprising 
testing contents of the frequent content to determine the presence of code in said 
frequent content (Rejected under the same rationale as claim 7). 



Application/Control Number: 10/822,226 Page 16 

Art Unit: 2136 

Regarding claim 78, Teal discloses a method as in claim 77, wherein said 
testing contents comprises identifying an opcode in said frequent content, 
determining a length of the opcode, and looking for another opcode at a location 
within said frequent content based on said length (Rejected under the same 
rationale as claim 7). 

Regarding claim 79, Teal discloses a method as in claim 69, further comprising 
monitoring for scanning of addresses (Rejected under the same rationale as 
claim 11). 

Regarding claim 88, Teal discloses a method for automatically identifying 
common content to use in identifying an intrusive network attack, comprising: 
obtaining a collection of data items to be analyzed to identify the network attack; 
reducing said data items in said collection to reduce said data collection to a 
reduced data collection of reduced data items, wherein the reduced data items in 
the reduced data collection have a smaller size and a constant predetermined 
relation with data items in the data collection and at least some of the data items 
in the data collection that differ are reduced to the same reduced data item; 
analyzing a plurality of said reduced data items to determine frequently occurring 
sections of message information indicative of a network attack; and carrying out 
an additional test on said frequently occurring sections of message information, 
comprising maintaining a first list of unassigned addresses, wherein the 
unassigned addresses are maintained as reduced addresses that have a smaller 
size and a constant predetermined relation with the unassigned addresses and at 
least some of the unassigned addresses that differ are reduced to the same 
reduced address, forming a second list of source addresses that have sent to the 
unassigned addresses on said first list, wherein the source addresses are 
maintained as reduced addresses that have a smaller size and a constant 
predetermined relation with the source addresses and at least some of the 
source addresses that differ are reduced to the same reduced address, and 
comparing a current source of a frequently occurring section to said second list 
(Rejected under the same rationale as claims 1 and 12). 
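Claim 88 adds a test that keys off where traffic is going rather than what it contains: a first list of unassigned destination addresses kept in reduced form, a second list of sources that have sent to those addresses, and a comparison of the current source of a frequently occurring section against that second list. The following added example (written for this page; not code from the application or the references) keeps both lists as bitmaps indexed by a 20-bit hash of the address, so distinct addresses can collapse to the same entry, as the claim allows, and memory stays constant. The unassigned range, the flow records and the sources of the frequent section are constructed for the example.

```python
"""Unassigned-address test for the source of frequently occurring content.

Added example for this page, not code from the application or the cited
references. The unassigned block, the flow records and the frequent-section
sources are constructed for illustration.
"""
import hashlib
import ipaddress

REDUCED_BITS = 20  # addresses are reduced to 20-bit hashes (assumed)


def reduce_address(addr: str) -> int:
    """Many-to-one reduction of an address: smaller, deterministic, and some
    distinct addresses map to the same value."""
    packed = ipaddress.ip_address(addr).packed
    digest = hashlib.blake2b(packed, digest_size=4).digest()
    return int.from_bytes(digest, "big") % (1 << REDUCED_BITS)


class ReducedAddressList:
    """A bitmap with one bit per possible reduced address."""

    def __init__(self):
        self.bits = bytearray(1 << REDUCED_BITS)

    def add(self, addr: str) -> None:
        self.bits[reduce_address(addr)] = 1

    def __contains__(self, addr: str) -> bool:
        return self.bits[reduce_address(addr)] == 1


class DarkAddressMonitor:
    def __init__(self, unassigned_networks):
        # First list: unassigned destination addresses, in reduced form.
        self.unassigned = ReducedAddressList()
        for net in unassigned_networks:
            for host in ipaddress.ip_network(net).hosts():
                self.unassigned.add(str(host))
        # Second list: sources that have sent to an unassigned address.
        self.suspicious_sources = ReducedAddressList()

    def observe_flow(self, src: str, dst: str) -> bool:
        """Put src on the second list if dst is on the first list."""
        if dst in self.unassigned:
            self.suspicious_sources.add(src)
            return True
        return False

    def source_is_suspicious(self, src: str) -> bool:
        """The additional test of claim 88: compare the current source of a
        frequently occurring section against the second list."""
        return src in self.suspicious_sources


# Constructed data (not captured traffic). 192.0.2.0/28 plays the role of an
# unassigned block inside the monitored network for this example.
UNASSIGNED = ["192.0.2.0/28"]
FLOWS = [
    ("198.51.100.7", "192.0.2.40"),  # ordinary client to a live server
    ("198.51.100.7", "192.0.2.41"),
    ("203.0.113.9", "192.0.2.3"),    # probe into the unassigned block
    ("203.0.113.9", "192.0.2.40"),   # then the same content to a live host
]
FREQUENT_SECTION_SOURCES = ["198.51.100.7", "203.0.113.9"]


def run_demo():
    mon = DarkAddressMonitor(UNASSIGNED)
    for src, dst in FLOWS:
        mon.observe_flow(src, dst)
    return {src: mon.source_is_suspicious(src) for src in FREQUENT_SECTION_SOURCES}


if __name__ == "__main__":
    print(run_demo())
```

A source that is on the second list and is also emitting frequent content has shown two independent symptoms of scanning behaviour, which is stronger evidence than either the content frequency or the dark-address hit alone; the reduction does mean an innocent source can share a bit with a scanner, so the test is a filter, not a verdict.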

Regarding claim 89, Teal discloses a method for automatically identifying 
common content to use in identifying an intrusive network attack, comprising: 
obtaining a collection of data items to be analyzed to identify the network attack, 
wherein said data items comprise a first subset of a network packet including 
payload and header; reducing said data items in said collection to reduce said 
data collection to a reduced data collection of reduced data items, wherein the 
reduced data items in the reduced data collection have a smaller size and a 
constant predetermined relation with data items in the data collection and at least 
some of the data items in the data collection that differ are reduced to the same 
reduced data item; analyzing a plurality of said reduced data items to detect 
common elements, said analyzing reviewing for common content indicative of a 
network attack; and obtaining a second subset of the same network packet for 
subsequent analysis (Rejected under the same rationale as claims 1 and 12). 

Conclusion 

4. Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to CHINWENDU C. OKORONKWO whose telephone 
number is (571) 272-2662. The examiner can normally be reached on MWF 2:30 - 6:00, 
TR 9:00-3:30. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Nasser Moazzami, can be reached on (571) 272-4195. The fax phone 
number for the organization where this application or proceeding is assigned is 571- 
273-8300. 

Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a 
USPTO Customer Service Representative or access to the automated information 
system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 